You can outsource services, but you can’t outsource risk: What rising cyber threats to service providers mean for leaders


What happened? 

CyberCX Intelligence has observed an increase in cyber campaigns targeting managed and professional service providers. In 2023, 1 in 4 cyber extortion attacks in Australia directly targeted organisations in the professional services or IT sector. Additionally, in a significant proportion of major incidents affecting other sectors, threat actors used access obtained through third-party IT providers to begin their attacks. Criminal and nation-state cyber threat actors view service providers as our economy's Achilles' heel: a successful compromise of just one service provider can open the door to a single high-value victim, or to the compromise, at scale, of hundreds of downstream organisations.


How could this impact me and my organisation? 

A cyber incident at a third-party service provider could expose your sensitive information, disrupt your critical business services, or result in a follow-on cyber attack against your organisation. Australian regulators are also increasingly focussed on supply chain governance. In a September 2023 speech, the ASIC Chair warned that third-party risk is one of the “weakest links in cyber preparedness”, and reminded directors that their cyber governance obligations extend to oversight across their organisation’s supply chain. For their part, service providers should expect stricter due diligence and controls from their partners in 2024 and a tightening regulatory environment. In late 2023 the Australian Government flagged extra cyber obligations for managed service providers, given the essential role they play in our critical infrastructure ecosystem.


[Figure: Notable third party cyber incidents, 2023]

What should I do? 

As we head into 2024, leaders across all organisations have an opportunity to recalibrate their approach to third-party risk, given the worsening cyber threat landscape. Considerations could include:

1. Map: Does your organisation understand its supply chain dependencies? What third parties hold your data, or have access to your data or business systems?

2. Control: How do you assure that third parties comply with your organisation's security standards and controls? What visibility do you have across your third parties' backend security? How does your organisation minimise third party data holdings and accesses on a 'least privilege' basis? Could you further restrict or disable a third party's access during a cyber crisis?

3. Prepare: Do your organisation's cyber incident and business continuity plans sufficiently cover third party scenarios? Are you conducting regular cyber incident exercises with your key third parties to test shared playbooks?
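The Map and Control questions above become concrete once third-party access is held as an inventory that can be queried. The script below is an added example, not part of the original article or of any CyberCX tooling: it takes a constructed inventory of vendor accounts (the vendor names, systems and accounts are hypothetical), answers "which systems does each vendor reach", flags grants that breach least privilege (privileged roles held on a standing basis, grants with no expiry or a lapsed expiry, privileged grants without MFA), and produces the per-vendor revocation list you would want ready before a crisis rather than during one.

```python
"""Third-party access inventory checks (added example; hypothetical data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Roles treated as privileged. Adjust to your own role catalogue (assumption).
PRIVILEGED_ROLES = {"domain_admin", "global_admin", "db_owner", "rmm_operator"}


@dataclass(frozen=True)
class AccessGrant:
    vendor: str              # third party that owns the account
    account: str             # account identifier in your directory
    system: str              # data store or business system reached
    role: str                # role or permission set granted
    standing: bool           # always-on access (True) vs just-in-time (False)
    expires: Optional[date]  # review/expiry date; None means never reviewed
    mfa: bool                # MFA enforced on this account


# Constructed sample inventory: vendors, accounts and systems are invented.
INVENTORY: List[AccessGrant] = [
    AccessGrant("Acme MSP", "svc-acme-rmm", "endpoint-fleet", "rmm_operator", True, None, True),
    AccessGrant("Acme MSP", "acme-helpdesk", "ticketing", "agent", True, date(2024, 6, 30), True),
    AccessGrant("Northwind Payroll", "nw-payroll-api", "hr-db", "db_owner", True, date(2024, 1, 15), False),
    AccessGrant("Acme MSP", "acme-dba-jit", "erp-db", "db_owner", False, date(2024, 3, 31), True),
]


def map_dependencies(grants: List[AccessGrant]) -> Dict[str, List[str]]:
    """Map: which systems each third party can reach."""
    systems: Dict[str, set] = {}
    for g in grants:
        systems.setdefault(g.vendor, set()).add(g.system)
    return {vendor: sorted(s) for vendor, s in sorted(systems.items())}


def least_privilege_findings(grants: List[AccessGrant], today: date) -> List[Tuple[str, str]]:
    """Control: grants that do not meet a 'least privilege' baseline."""
    findings: List[Tuple[str, str]] = []
    for g in grants:
        privileged = g.role in PRIVILEGED_ROLES
        if privileged and g.standing:
            findings.append((g.account, "privileged role held as standing access"))
        if g.expires is None:
            findings.append((g.account, "no expiry or review date"))
        elif g.expires < today:
            findings.append((g.account, "expired on %s but still active" % g.expires.isoformat()))
        if privileged and not g.mfa:
            findings.append((g.account, "privileged account without MFA"))
    return findings


def crisis_revocation_plan(grants: List[AccessGrant], vendor: str) -> List[Tuple[str, str]]:
    """Control: (account, system) pairs to disable if this vendor is compromised.

    Privileged grants are listed first so they are cut before the rest.
    """
    affected = [g for g in grants if g.vendor == vendor]
    affected.sort(key=lambda g: (g.role not in PRIVILEGED_ROLES, g.account))
    return [(g.account, g.system) for g in affected]


if __name__ == "__main__":
    today = date(2024, 2, 1)  # constructed 'as of' date
    for vendor, systems in map_dependencies(INVENTORY).items():
        print(f"{vendor}: {', '.join(systems)}")
    for account, reason in least_privilege_findings(INVENTORY, today):
        print(f"FINDING {account}: {reason}")
    for account, system in crisis_revocation_plan(INVENTORY, "Acme MSP"):
        print(f"REVOKE {account} on {system}")
```

The revocation plan is only useful if the accounts in it are actually the ones the vendor uses: run the inventory against your directory export rather than a spreadsheet the vendor supplied, and exercise the disable step with the vendor before an incident.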


Security starts in the c-suite. Executives are high-value targets. Well-connected, they’re gateways to their organisation, sensitive information and professional network. High-profile, they’re easy to find. Trusted and influential, their brand is readily exploited. C-Suite Cyber helps business leaders master their cyber risk.

About CyberCX Intelligence

CyberCX Intelligence is a uniquely Australia and New Zealand focused capability. We have the information, access and context to give executives a decision advantage – whether that’s minimising their personal risk or leading their organisation’s risk posture.

Want more? Contact cyberintel@cybercx.com.au to explore how you could partner with cyber intelligence experts who speak your business language and know your sector. You can also subscribe to Cyber Adviser, our bite-sized monthly intelligence newsletter.


Bisi Adedokun

Founder/CEO at Orokii

12mo

Couldn't agree more, Gregory! It's like you've read my mind. The focus on supply chain cyber governance has been long overdue. Just think about it - it’s not just our own systems we need to worry about anymore but those of our third-party providers too! I believe it's time for all leaders to step up their game and understand that they can't simply outsource responsibility along with services. Let's be proactive in securing our digital supply chains. Looking forward to more such thought-provoking posts from you.

Been waiting for this. MSPs that have already invested in a strong security workforce will be rewarded. The ones that have been skimping will be found wanting. Reputation is the most valued currency in any service provision field.

Michael Taylor-Ford

Principal Security Domain Architect @ IAG | SABSA Foundation SCF

12mo

Great article, I like how you succinctly called out that mapping and controls are a critical component of risk management. In my experience, where things seem to get a bit confusing for people is when the "Map" bit isn't done and they haven't "consciously delegated the responsibility for operating safeguards and controls"; this isn't ownership or accountability for risk. Third parties may be required to design and operate controls on your behalf, sure, but the risk is still yours to identify/treat/manage/monitor.
